Password Security

Asked by bren2310

I have a reasonably well encrypted login page (Java applet), but I'm not sure how to protect the target page / frameset from being bookmarked and then called directly, bypassing the login page. Is there a JavaScript which I can place in the target frameset which will automatically divert surfers to the login page if it hasn't been called from there?

Every site I've visited seems to be able to do this so I'm probably asking a stupid question.

Regards

Bren2310
ASKER CERTIFIED SOLUTION
CyberGhost
This solution is only available to members.

SOLUTION
This solution is only available to members.
sKuLLsHoT
You need to include protection on every page you don't want accessed, not just the gateway to the page you want to hide. From what you are saying, if I know the location of the "protected pages" I can just go into my browser and type "www.somefin/page/location.htm" and I'll be there without a password prompt, yes/no?

Depending on your server type, I think the easiest form of access control would be using simple authentication with either auth rules or htaccess files. If you are using a programming language for dynamic content, cookies/sessions are an option...
That's another problem. You have to determine if the user is logged in or not. Maybe you could use INCLUDE to include one site if the user's logged in or include another one if he isn't.

Also you can use browser authorization (Basic is the most used). You don't need cookies accepted if you use it, although you have to determine if this authorization is set or not.

I think Java will not handle this problem. Try PHP. It's fast and easy.

regards
It's fairly standard for Single Sign-on systems to use an encrypted cookie. Once decrypted, the cookie will reveal the user's identity, and some sort of expiry time. When the user connects, the web server reads the headers, and if the cookie doesn't exist, or has expired, the user is redirected to a login page. (On a Microsoft web server, this would be done with an ISAPI filter - presumably other web servers support similar APIs.) As far as HTTP is concerned, the connections are anonymous.
SOLUTION
This solution is only available to members.
If you are hosting your site using the Apache web server, you can turn on "follow symbolic links" for the directory that contains the html file. As far as I know, with this setting on a directory you cannot access a file by directly entering the address of the file. Then you can direct your client from your login page...
bren2310 (ASKER)
Thank you for all your responses so far. My problem is that whilst I know what I'm doing with JavaScript & HTML, using Perl or ASP or whatever is something I'm not familiar with and am having to learn as I go along.

In response to GtG - those hosting the site do use the Apache web server. Unfortunately I am using FrontPage for most of the site and need the FrontPage extensions installed. This effectively makes using the Apache web server security options a non-starter.

Do you / does anyone know how to make use of FrontPage's ability to set up sub webs which provide similar protection?

Brendan (bren2310)
SOLUTION
This solution is only available to members.
As a side note to my comment, the nice thing about that setup is that even if the client doesn't support cookies, they can at least view files in the private directory as long as the web browser stays open, as it re-submits the basic authentication information when required for the private files. When the browser is closed, if the user wants to access the private files again, they have to re-enter the authentication information, or, if they have a cookie set with the authentication information, the cookie can bypass the need for the basic authentication. If you searched Google for keywords such as "basic authentication http 401 www-authenticate", and the CGI scripting language you're using, you could probably find some good examples.

This is how I personally protect a web site not meant for the general public.
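The pattern the replies converge on (sKuLLsHoT's point that every private page needs its own server-side check, the encrypted/signed cookie with an expiry time, and the Basic authentication 401 / WWW-Authenticate fallback described in the last comment) is shown below as one request gate. This is an added illustration in Python, not code from any poster in this thread; the key, user table, password, cookie format (user|expiry|HMAC) and the /private/ path prefix are all constructed for the example. A real deployment would load the key from configuration and verify passwords against a proper password hash store.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed demo values (not from the thread). A real deployment loads the key
# from configuration and checks passwords against a proper password hash store.
COOKIE_KEY = b"constructed-demo-key-replace-me"
USERS = {"brendan": hashlib.sha256(b"correct horse").hexdigest()}
REALM = "Private area"
COOKIE_NAME = "session"
SESSION_TTL = 3600          # seconds a session cookie stays valid
PRIVATE_PREFIX = "/private/"  # everything under here is gated on every request


def make_session_cookie(user: str, now: float, key: bytes = COOKIE_KEY) -> str:
    """Cookie value 'user|expiry|mac'; the HMAC binds user and expiry together."""
    expires = int(now) + SESSION_TTL
    payload = f"{user}|{expires}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_session_cookie(value: str, now: float, key: bytes = COOKIE_KEY) -> Optional[str]:
    """Return the user if the MAC checks out and the expiry is still in the future, else None."""
    parts = value.split("|")
    if len(parts) != 3:
        return None
    user, expires, mac = parts
    expected = hmac.new(key, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None                      # forged or edited cookie
    if not expires.isdigit() or int(expires) <= now:
        return None                      # expired (or garbage expiry field)
    return user


def basic_header(user: str, password: str) -> str:
    """What a browser sends back after a 401 carrying 'WWW-Authenticate: Basic'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic(auth_header: Optional[str]) -> Optional[str]:
    """Validate an 'Authorization: Basic' header against USERS; None on any failure."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    stored = USERS.get(user)
    if stored is None:
        return None
    given = hashlib.sha256(password.encode()).hexdigest()
    return user if hmac.compare_digest(stored, given) else None


def parse_cookies(cookie_header: Optional[str]) -> Dict[str, str]:
    """Minimal 'Cookie: a=1; b=2' parser."""
    cookies: Dict[str, str] = {}
    for part in (cookie_header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def authorize(headers: Dict[str, str], now: float) -> Tuple[int, Dict[str, str], Optional[str]]:
    """Decide access for one request: (status, extra response headers, user or None)."""
    cookies = parse_cookies(headers.get("Cookie"))
    user = verify_session_cookie(cookies[COOKIE_NAME], now) if COOKIE_NAME in cookies else None
    extra: Dict[str, str] = {}
    if user is None:
        user = check_basic(headers.get("Authorization"))
        if user is not None:
            # First successful login: hand out a session cookie so later requests
            # need not carry the password; HttpOnly keeps page scripts away from it.
            extra["Set-Cookie"] = f"{COOKIE_NAME}={make_session_cookie(user, now)}; HttpOnly; Secure; Path=/"
    if user is None:
        # Neither a valid session nor valid credentials: challenge the browser.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, None
    return 200, extra, user


def handle_request(path: str, headers: Dict[str, str], now: float) -> Tuple[int, Dict[str, str], str]:
    """Gate every private URL on the server; a bookmarked or typed URL still hits this check."""
    if not path.startswith(PRIVATE_PREFIX):
        return 200, {}, f"public page {path}"
    status, extra, user = authorize(headers, now)
    if status != 200:
        return status, extra, "login required"
    return 200, extra, f"private page {path} for {user}"
```

The important property is that the check runs on the server for every private path, so it makes no difference whether the visitor arrived via the login page, a bookmark or a typed address; a client-side redirect in the frameset, by contrast, never runs for a user who simply loads the target page with scripting off. Browsers that refuse cookies keep working through the Basic challenge alone, exactly as the last comment describes, while cookie-capable browsers get the signed session and stop resending the password.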